The application has a validator form that either fails to
define a validate() method, or defines a validate() method but fails to call
super.validate().
Extended Description
If you do not call super.validate(), the Validation Framework never checks
the contents of the form against its validation form (the rules declared for
that form in the Struts Validator configuration, normally validation.xml). In
other words, the validation framework is silently disabled for the given
form, even though the rules still appear to be configured.
Time of Introduction
Implementation
Applicable Platforms
Languages
Java
Common Consequences
Effect: Disabling the validation framework for a form exposes the application
to numerous types of attacks. Unchecked input is the root cause of
vulnerabilities like cross-site scripting, process control, and SQL
injection.
Potential Mitigations
Description: Implement the validate() method and call super.validate() within
that method.
Background Details
The Struts Validator uses a form's validate() method to check the contents
of the form properties against the constraints specified in the associated
validation form. That means the following classes have a validate() method
that is part of the validation framework: ValidatorForm,
ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If you
create a class that extends one of these classes, and if your class
implements custom validation logic by overriding the validate() method, you
must call super.validate() in your validate() implementation.
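The following is an added illustration of the Extended Description and Background Details above; it is not code from the CWE entry or from the Struts project. It assumes the Struts 1.2 API (ValidatorForm, ActionErrors, ActionMessage), a form bean whose validation.xml entry is named registrationForm with the field rules shown in the comment, and message keys such as errors.reserved; all of these are constructed for the example. The first class overrides validate() without calling super.validate(), so none of the declared rules run; the second shows the corrected pattern from the mitigation.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

/*
 * Assumed validation.xml entry for these forms (constructed for this example;
 * the form name must match the form-bean name used in struts-config.xml):
 *
 *   <form name="registrationForm">
 *     <field property="username" depends="required,mask,maxlength">
 *       <arg key="prompt.username"/>
 *       <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_]+$</var-value></var>
 *       <var><var-name>maxlength</var-name><var-value>32</var-value></var>
 *     </field>
 *     <field property="email" depends="required,email">
 *       <arg key="prompt.email"/>
 *     </field>
 *   </form>
 *
 * These rules are evaluated inside ValidatorForm.validate(), so they only run
 * if a subclass override reaches it via super.validate().
 */

/** Weak form: the override silently disables every rule in validation.xml. */
class RegistrationFormWeak extends ValidatorForm {
    private String username;
    private String email;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Only this custom check runs. "required", "mask", "maxlength" and
        // "email" are never evaluated because super.validate() is not called,
        // so an empty username or an arbitrary-length, unmasked string passes.
        ActionErrors errors = new ActionErrors();
        if ("admin".equalsIgnoreCase(username)) {
            errors.add("username", new ActionMessage("errors.reserved", "username"));
        }
        return errors;
    }
}

/** Fixed form: declarative rules run first, custom checks are layered on top. */
public class RegistrationForm extends ValidatorForm {
    private String username;
    private String email;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Run the validation-form rules for this bean before anything else.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {
            // Defensive: ValidatorForm.validate() returns a non-null
            // ActionErrors, but an intermediate superclass in a deeper
            // hierarchy might not, and a null here would throw below.
            errors = new ActionErrors();
        }
        // Custom rule that validation.xml cannot express on its own; it
        // adds to, rather than replaces, the declarative results.
        if ("admin".equalsIgnoreCase(username)) {
            errors.add("username", new ActionMessage("errors.reserved", "username"));
        }
        return errors;
    }
}
```

A quick way to check a code base for this weakness is to grep every subclass of ValidatorForm, ValidatorActionForm, DynaValidatorForm and DynaValidatorActionForm that declares its own validate(ActionMapping, HttpServletRequest) and confirm that the body contains a super.validate(mapping, request) call whose result is returned or merged, not discarded. Note that the same silent bypass occurs if the call is present but its ActionErrors is thrown away and a fresh ActionErrors is returned instead.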
Other Notes
Although J2EE applications are not generally susceptible to memory
corruption attacks, if a J2EE application interfaces with native code that
does not perform array bounds checking, an attacker may be able to use an
input validation mistake in the J2EE application to launch a buffer overflow
attack.
Weakness Ordinalities
Ordinality: Primary (where the weakness exists independent of other weaknesses)
Description: This could introduce other weaknesses related to missing input
validation.
Causal Nature
Explicit
Taxonomy Mappings
Mapped Taxonomy Name: 7 Pernicious Kingdoms
Mapped Node Name: Struts: Erroneous validate() Method
Maintenance Notes
The current description implies a loose composite of two separate
weaknesses, so this node might need to be split or converted into a
low-level category.
Content History
Submissions
Submission Date / Submitter / Organization / Source:
7 Pernicious Kingdoms, Externally Mined
Modifications
Modification Date / Modifier / Organization / Source: changes
2008-07-01 / Eric Dalci / Cigital / External: updated Potential Mitigations,
Time of Introduction
2008-09-08 / CWE Content Team / MITRE / Internal: updated Relationships, Other
Notes, Taxonomy Mappings, Weakness Ordinalities
2008-10-14 / CWE Content Team / MITRE / Internal: updated Description,
Maintenance Notes
2008-11-24 / CWE Content Team / MITRE / Internal: updated Background Details,
Common Consequences, Description, Other Notes, Relationship Notes